As we continue to investigate events related to Fidelis Threat Advisory #1017: Phishing in Plain Sight, which detailed a new spearphishing campaign using CVE-2014-4114 and the subsequent targeting of pro-democracy activists in Hong Kong, we have discovered some interesting files in a phishing email that had 0/57 detections on VirusTotal.
Another .pps file, with MD5 1c471ef83e11d35219ccec01f328c0b1 and filename dhl-tracking-redirecting-parcel-0967789292.pps, was observed in the transportation vertical in the United States, the United Arab Emirates and Hong Kong. The title page of the slideshow simply says “Hello Animagus” and the second page says “Please visit our website for tracking.”
Screenshots of the PowerPoint slides:
The slideshow loads two files, penguin.exe (MD5: 01c334e60eb8900f7c1238ad0fbcb406) and RwFLOJaBA (MD5: 6781e99435fed1ff118968d73450b7e3), and appears to load Pony Bot. It makes HTTP POST requests to the C2 with the following paths: /rital/gate.php and /rital/admin.php.
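As an added triage example (not code from the advisory), the indicators above turned into a small script: it scans proxy log lines for POST requests to the two C2 paths and checks a file inventory against the listed MD5s. The log line format, the sample IP addresses and the sample inventory are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the advisory text above.
C2_PATHS = {"/rital/gate.php", "/rital/admin.php"}
KNOWN_MD5 = {
    "1c471ef83e11d35219ccec01f328c0b1": "dhl-tracking-redirecting-parcel-0967789292.pps",
    "01c334e60eb8900f7c1238ad0fbcb406": "penguin.exe",
    "6781e99435fed1ff118968d73450b7e3": "RwFLOJaBA",
}

# Assumed (hypothetical) proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def c2_hits(lines):
    """Return (client_ip, url) for every POST whose URL path is a known C2 path.
    The query string is ignored so /rital/admin.php?x=1 still matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than fail the whole scan
        if m["method"] == "POST" and urlparse(m["url"]).path in C2_PATHS:
            hits.append((m["src"], m["url"]))
    return hits

def hash_hits(inventory):
    """inventory: iterable of (path, md5). Returns (path, md5, known_name) matches.
    MD5s are compared case-insensitively because tools emit them in either case."""
    return [(p, h.lower(), KNOWN_MD5[h.lower()]) for p, h in inventory if h.lower() in KNOWN_MD5]

# Constructed sample data (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    "2014-11-04T10:12:01Z 10.0.0.5 POST http://203.0.113.10/rital/gate.php 200",
    "2014-11-04T10:12:02Z 10.0.0.5 GET http://203.0.113.10/rital/gate.php 200",
    "2014-11-04T10:12:03Z 10.0.0.7 POST http://example.org/login.php 302",
    "2014-11-04T10:12:04Z 10.0.0.9 POST http://203.0.113.10/rital/admin.php?x=1 200",
    "this line is malformed",
]
SAMPLE_INVENTORY = [
    (r"C:\Users\a\AppData\Local\Temp\penguin.exe", "01C334E60EB8900F7C1238AD0FBCB406"),
    (r"C:\Windows\System32\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]

if __name__ == "__main__":
    for src, url in c2_hits(SAMPLE_LOG):
        print(f"C2 beacon: {src} -> {url}")
    for path, md5, name in hash_hits(SAMPLE_INVENTORY):
        print(f"Known sample: {path} ({md5}) matches {name}")
```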